Are you interested in SOC services but unsure what will be asked from you if internal control deficiencies are found? We all know the scary words “qualification” or “misstatement”, but what about the less scary but still important term: deficiency? This is also known as a “finding” or “gap” and a deficiency can also be an “exception.” In this article, we’ll discuss the lifecycle of deficiency analysis, from detection to prevention, and everything in between. We’ll also cover the questions that you may be asked by your auditor along the way.
Every environment is different and so is every deficiency, but there are some questions that can generate the necessary information to include in your deficiency analysis.
- What is an audit deficiency?
- Who assesses the control deficiency?
- How is a control deficiency assessed?
- How is unmitigated risk addressed?
- What is the root cause of the deficiency?
- What if there are multiple deficiencies?
- How do we remediate the audit deficiency?
- When does the auditor retest the control?
- How will a deficiency show up in the SOC 2 report?
- Can the auditor identify deficiencies in internal control?
- How do you prevent deficiencies?
- What are other examples of SOC 2 deficiencies?
What Is An Audit Deficiency?
A deficiency occurs when the design or operation of a control does not perform as intended. There are a series of steps and considerations when evaluating an internal control deficiency. A control is designed when a process is formally documented, such as in a policy, and implemented. An auditor tests implementation by selecting a sample of one and corroborating that what occurred in that sample matches the documented design of the control. Operating effectiveness is how the control operates over multiple occurrences or a longer period of time.
Who Assesses the Control Deficiency?
You may be wondering who facilitates the assessment of deficiency analysis. The auditor may lead discussions using questions around the control deficiency, but management is responsible for performing mitigating and remediating procedures. Management will be responsible for understanding their environment well enough to suggest mitigating and compensating controls and to implement new controls, if needed.
How Is a Control Deficiency Assessed?
To help provide an understanding of the deficiency analysis lifecycle, let’s use an example deficiency as we walk through the following considerations.
Example audit deficiency: On April 1st, a user was provisioned inappropriate access (administrator role) compared to what is required for their job responsibilities.
This is one of the many times when risk matrices are beneficial. When a deficiency occurs, an up-to-date risk matrix will highlight the risks that were mitigated by the now-deficient control. These are the risks that need to be mitigated. In our example, the company can mitigate the risk around the deficiency by immediately removing the inappropriate access. Removing the user’s access also defines the “exposure risk” period. In this case, the period runs from the date the inappropriate access was granted through the date the inappropriate access was removed.
How Is Unmitigated Risk Addressed?
The exposure risk is a period of time where the user could have inappropriately accessed roles they were not supposed to have and performed malicious actions. This level of risk can also be assessed based on the type of inappropriate access provisioned. There is a higher risk around administrator roles with production access compared to a user with read-only access.
Ease of mitigation will depend on the system configurations and on whether activity logging is enabled and retained. For our example deficiency, the company can look at the user’s last login date to the network or the account, as they may not have logged in at all during the exposure risk period. If the user did access their account during the exposure period, activity logs are also beneficial for mitigating this deficiency, because they allow the company to determine the precise actions that were performed.
The auditor may ask you about compensating controls for this deficiency. These are usually going to be detective controls that would enhance risk mitigation, such as user access reviews and activity log reviews. Keep in mind that knowledge and competency cannot be a control. If the user doesn’t have the background to exploit the inappropriate access, this does not completely remove the risk around the deficiency.
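The exposure-period analysis described above, as an added example that is not part of the original article: given the grant and removal dates for the April 1st administrator-role deficiency and a retained activity log, bound the exposure risk period and list the logins and privileged actions that fell inside it. The user name, dates, log format and the `admin.` action prefix are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, date

# Constructed example values for the article's deficiency: an administrator
# role granted on April 1st beyond job needs. User and removal date are assumed.
USER = "jdoe"
GRANTED = date(2023, 4, 1)
REMOVED = date(2023, 4, 12)  # assumed date the excess access was revoked

# Constructed activity log, one event per line: "timestamp user action detail".
ACTIVITY_LOG = """\
2023-03-28T09:14:02 jdoe login workstation
2023-04-03T08:02:11 jdoe login vpn
2023-04-03T08:05:40 jdoe read report_q1.pdf
2023-04-09T17:45:00 jdoe admin.role_change target=svc_backup
2023-04-15T10:00:00 jdoe login vpn
"""


@dataclass
class ExposureReview:
    window_days: int                      # grant date through removal date, inclusive
    logins_in_window: list = field(default_factory=list)
    privileged_actions: list = field(default_factory=list)


def exposure_review(log_text, user, granted, removed, privileged_prefix="admin."):
    """Bound the exposure risk period and record what the user did inside it.

    The window is inclusive on both ends, matching the article's definition.
    Events for other users or outside the window are ignored; actions whose
    name starts with privileged_prefix (an assumed naming convention) are the
    ones that exercised the inappropriate administrator role.
    """
    review = ExposureReview(window_days=(removed - granted).days + 1)
    for line in log_text.splitlines():
        ts, who, action, detail = line.split(" ", 3)
        if who != user:
            continue
        day = datetime.fromisoformat(ts).date()
        if not (granted <= day <= removed):
            continue
        if action == "login":
            review.logins_in_window.append(ts)
        elif action.startswith(privileged_prefix):
            review.privileged_actions.append(f"{ts} {action} {detail}")
    return review


if __name__ == "__main__":
    r = exposure_review(ACTIVITY_LOG, USER, GRANTED, REMOVED)
    print(f"exposure window: {r.window_days} days")
    print("logins in window:", r.logins_in_window)
    print("privileged actions in window:", r.privileged_actions)
```

An empty `logins_in_window` would support the "never logged in during the exposure period" argument; any entry in `privileged_actions` is what the auditor will want explained.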
What Is the Root Cause of the Deficiency?
We removed the inappropriate access and determined that the person didn’t do anything – is this fixed? Not yet. To properly remediate a deficiency, we need to understand how the deficiency occurred in the first place: what is the root cause? Maybe the approving manager didn’t understand the extent of the roles. Could it be a case of human error, with excessive access accidentally selected when granting it in the system? Was the initial request unclear or illegible, and the provisioner didn’t have time to clarify? Understanding the root cause is crucial to ensuring a proper remediation plan and preventing this deficiency from occurring again.
What if There Are Multiple Deficiencies?
When multiple deficiencies occur within the environment, an aggregation assessment is performed to determine whether the deficiencies, when combined, rise to a conclusion higher than a deficiency. Multiple deficiencies may jeopardize the control objectives in a SOC 1 report or the criteria in a SOC 2 report.
How Do We Remediate the Audit Deficiency?
The roadmap of your remediation should consider the action required by management to prevent the deficiency from occurring again. For example, if the root cause is human error, management should retrain the relevant employees to help them understand why it’s important to provide the right access. Could the entire provisioning process be improved? The roadmap should also include the timeline of when management would like the updates executed. Depending on the severity of the deficiency, management may need to consider escalating knowledge of the deficiency to the Board of Directors (BOD) or Executive Management Team.
When Does the Auditor Retest the Control?
Management is encouraged to independently test the updated process prior to walking the auditor through it. Once management confirms the process has been remediated, the auditor will perform formal testing post-remediation to arrive at an updated conclusion. A post-remediation conclusion will not overwrite a deficient conclusion; however, it can help by narrowing the period of time the deficiency was open within the report.
How Will a Deficiency Show Up In the SOC 2 Report?
Section IV of the SOC report includes control conclusions. The control that failed will be identified, noting a testing exception. A deficiency, or a series of deficiencies, may rise to the conclusion of a qualification. An audit report qualification will be noted in Section I, the Independent Service Auditor’s Report.
Audit Tip: Prior to conducting a SOC report, there is an option for readiness testing, which will determine if there are gaps within the environment and will allow the client to remediate the gaps prior to the beginning of the audit period.
Can the Auditor Identify Deficiencies in Internal Control?
Yes, auditors may identify deficiencies in internal control throughout the course of an audit. However, deficiencies can also be found by anyone within the company being audited. All employees and contractors need to be empowered, and provided with a process, to alert the proper channels when they find deficiencies or inconsistencies within the environment. When someone within the company identifies a deficiency, it is best to bring it up with your auditor as soon as possible.
Your auditor will most likely find it regardless, and informing them early can save time and budget. Delaying discussions around known deficiencies may delay the issuance of your report. While deficiencies can be found by auditors, auditors provide reasonable assurance, not absolute assurance, for an environment.
How Do You Prevent Deficiencies?
Preventing deficiencies is a combined effort between everyone within the company. The company must have a strong security posture that is understood and appreciated across the entire organization. Employees and contractors should be made aware of their impact on security compliance.
Understanding the risks of the company will allow management to focus on areas where deficiencies are most likely to occur. Companies should encourage personnel of all levels to raise concerns and suggestions about the security of the organization. Additionally, consider including multiple departments and levels of management in risk-awareness meetings. Once areas of risk are detected, management should implement additional procedures around areas where deficiencies are at higher risk.
For example, when a control owner leaves their position, the processes they oversaw need to be properly transitioned to a new control owner. Management can track ownership of controls and the movement of responsibilities through spreadsheets, if needed.
What Are Other Examples of SOC 2 Deficiencies?
Deficiencies can be specific to the type of audit you are undergoing, the time of year, and the industry. A few other examples of SOC 2 audit deficiencies:
- Untimely communication between departments during the process of removing access for terminated users, thus leaving users with access past their date of termination.
- Users have the ability to develop and push changes to the production environment with no systematic restrictions or mitigating controls in place.
- Security configurations for user endpoints (e.g. workstations) are not being monitored by management to detect when they are out of compliance.
Hopefully, this article helps you feel prepared to know what to expect when a deficiency is found within your environment. Your service auditor should be well-versed in the audit requirements but also prepared to provide guidance when deficiencies are detected. If you have questions on SOC 1 or SOC 2 audits, please contact us and request a consultation.
This article was originally published on 5/4/2021 and was updated on 5/10/2023.
Hilary has eight years of IT audit and assurance experience. Prior to starting at Linford & Co, Hilary worked for Deloitte managing audit readiness assessments, Sarbanes-Oxley 404 and SOC examinations, and complex remediation procedures. Hilary is a certified information systems auditor (CISA), holds a Master’s Degree in Accounting from the University of Colorado-Denver and a Bachelor’s in Business Administration from Colorado State University.